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Short History 



Mar. 



• Finished MIT in 2005 with M.Eng in Electrical Engineering 
and Computer Science 

• Founded Redwire, LLC 

• Design firm focused on designing and integrating mechanical, 
electrical, and software systems 

• Quick-turn prototypes 

• Almost always need a microcontroller 



Quick-turn prototypes 



• Usually under-specified 

• Under-time pressure 



Has some kind of "technology risk" 

• fancy sensor (e.g. cap-sensor, CCD line scanner, ) 

• odd feature 

• usually related to the core reason for making the device in the 
first place (so you can't design it out) 



Quick-turn prototypes 



• Usually under-specified 

• Under-time pressure 

• Has some kind of "technology risk" 

• fancy sensor (e.g. cap-sensor, CCD line scanner, ) 

• odd feature 

• usually related to the core reason for making the device in the 
first place (so you can't design it out) 

• and "wireless" 



Quick-turn Prototypes 



The last thing you want when dealing with all of this is: 

• a unknown microcontroller 

• a "tight fit" microcontroller 

• not enough RAM 

• not enough processing 

• not enough pins 

• a crummy set of expensive, proprietary compilers ( i.e. IGCC ) 

• crummy programming hardware 



for me, ARM is the answer 



Many types and sizes of ARMs 

• you can almost always find a "good-fit" 

• or the right peripheral 

almost everyone makes an ARM (list a bunch of 
manufacturers) 

Most have bootloaders and self-flashing 



when ARM isn't the answer 



• 



Low cost <$1 (cheapest is something like LPC1111 « $1.30) 
Very small footprint (checkout PIC10/12 in a SOT-23-6) 
• ...although NXP just released the LPC1102: 16-pin 2mm x 
2mm BGA (20 April 2010) 

... many other times ... 



"...so let's try out the MC13224v" 



• ARM7 

• Lot's of I/O (up to 64) 

• smallish: 9.5mm x 9.5mm 

• 96KB RAM 

• On-chip bootloader 

• J TAG 

• usual microcontroller stuff (ADCs, timers, UARTs, I2C, SPI, 
etc..) 

• » $5 
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• ARM7 

• Lot's of I/O (up to 64) 

• smallish: 9.5mm x 9.5mm 

• 96KB RAM 

• On-chip bootloader 

• J TAG 

• usual microcontroller stuff (ADCs, timers, UARTs, I2C, SPI, 
etc..) 

• » $5 
And wireless: 

• 2.4 GHz 802.15.4 radio (250kbps, 125 byte payloads) 

• 50 J7 single-ended RF connection 



Easy RF 



50 Q single-ended RF connection 

• MC13224v is a hybrid package 

• integrates balun — single-ended antenna (e.g. PCB trace) 

• integrates matching network 

• factory tuned parameters in NVM 

Hook it up and it works — with RF, this is an exception not the 
rule. 



"Looks good right?" 



Development Timeline 
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27 
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01 


April 


2009 



Finish rl pcbs 

Blinking led (good bootloader/toolchain) 

starting radio driver... 



.now for the bad news 



From the Reference Manual: 
NOTE 

The MAC A is not used as a standalone function. It is 
an integral part of the complete IEEE 802.15.4 Standard 
MAC/PHY services provided on the MC1322x. This 
chapter provides a reference to understand basic 
operation of the MACA, but is not intended as an 
applications guide to implement the 802.15.4 MAC 
function. Freescale provides the complete MAC solution 
onboard and intends the user to access the functionality 
through the provided software tools. 



.now for the bad news 



From the Reference Manual: 
NOTE 

The MAC A is not used as a standalone function. It is 
an integral part of the complete IEEE 802.15.4 Standard 
MAC/PHY services provided on the MC1322x. This 
chapter provides a reference to understand basic 
operation of the MACA, but is not intended as an 
applications guide to implement the 802.15.4 MAC 
function. Freescale provides the complete MAC solution 
onboard and intends the user to access the functionality 
through the provided software tools. 

...uh-oh. 



luckily, Freescale gave me enough 



004030ec 
4030ec 


<SetChannel 
b430 


4030ee 


4b Id 


4030f0 
4030f2 


681c 

4dld 


4030f4 
4030f6 
4030f8 


4025 
601d 
60d9 


4030fa 
4030fc 


611a 
6bl9 


4030fe 
403100 


2202 
430a 


403102 
403104 
403106 
403108 
40310a 


631a 
6bl9 
2204 
430a 
631a 


40310c 
40310e 


0011 

4a06 


403110 
403112 


400a 
4923 


403114 


1808 


403116 


7a00 


403118 
40311a 
40311c 
40311e 


0200 
21f8 
0149 
4001 


403120 


4311 


403122 


6319 



push 


{r4 


, r5} 




//rO = chan_num rl=vcodivI r2=vcodivF 


ldr 


r3, 


[pc, 


#116] 


(403164 <GetCurrentChannel+0x38>) 


ldr 


r4. 


[r3, 


#0] 


//r4 = +0x80009800 


ldr 


r5, 


[pc, 


#116] 


(403168 <Get Current Channel+0x3c>) //Oxbfffffff 


ands 


r5, 


r4 




// 


r5 = +0x80009800 k Oxbfffffff 


str 


r5. 


[r3 


#0] 


// 


+0x80009800 = r5 


atr 


xli 


[r3, 


#12] 


// 


+0x80009800+12 = r3 


atr 


r2, 


[r3, 


#16] 


// 


+0x80009800+16 = r2 


ldr 


rl, 


[r3, 


#48] 


// 


rl = +0x80009800+48 


mova 


r2. 


#2 




// 


r2 = 2 


orrs 


r2, 


rl 




// 


r2 = rl 1 2 


atr 


r2, 


[r3, 


#48] 


// 


+0x80009800+48 = r2 


ldr 


rl, 


[r3, 


#48] 


// 


rl = +0x80009800+48 


mova 


r2, 


#4 




// 


r2 = 4; 


orrs 


r2, 


rl 




// 


r2 = rl 1 4 


atr 


r2. 


[r3, 


#48] 


// 


// +0x80009800+48 = r2 


lala 


rl, 


r2. 


#0 


// 


rl = r2 


ldr 


r2, 


[pc, 


#24] 


(403128 <SetChannel+0x3c>) r2 = OxffffeOff; 


anda 


r2, 


rl 




// 


r2 = rl & OxffffeOff; 


ldr 


rl, 


[pc, 


#140] 


(4031aO <fill_ram_struct+0xl8>) // rl gets &ra 


adda 


rO, 


rl, 


rO 


// 


offset 


ldrb 


rO, 


[rO, 


#8] 


// 


rO gets ram_init_val+8+off set = buffer_radi 


lala 


rO, 


rO, 


#8 


// 


shift that left 8 


mova 


xli 


#24 r 




// 


rl = 248 


lala 


*1> 


rl, 


#5 


// 


rl = OxlFOO 


anda 


rl, 


rO 




// 


rl gets rO & OxlFOO 


orra 


xli 


r2 




// 


ored with r2 


atr 


*1> 


[r3, 


#48] 


// 


r3+48 gets rl... 0x80009800+48 



After a lot of reversing, 



/ asm2c.mar < MACPHY.a 

I was able to replace all of the necessary radio functions. 



#define ADDR CHANl 0x80009800 
#define ADDR_CHAN2 (ADDR_CHAN1+12) 
#define ADDR_CHAN3 (ADDR_CHAN1+16) 
#define ADDR.CHAW4 (ADDR_CHANl+48) 

chan) { 
safe_irq_disable(MACA) ; 

tmp = reg(ADDR_CHANi) ; 
tmp = tmp & Oxbfffffff; 
reg(ADDR_CHANl) = tmp; 
reg(ADDR_CHAN2) ■ VCGDivI [chan] ; 
regCADDR_CHAH3) ■ VC0DivF[chan] ; 

tmp = reg(ADDR_CHAN4) 
tmp = tmp | 2 ; 
reg(ADDR_CHAH4) = tmp 

tmp = reg(ADDR_CHAH4) 
tmp = tmp | 4 ; 
reg(ADDR_CHAN4) = tmp 

tmp = tmp & OxffffeOff; 

tmp ■ tmp | (((ctov[chan] )<<8)&0xlF00) ; 

reg(ADDR_CHAW4) = tmp; 

/* dull! */ 

irq.restoreO; 



set.power, set_channel, set_demodulator_type, reset_maca, init_phy, 
flybackJnit, ResumeMACASync, radioJnit, init_from_flash 



flash came along for the ride 



init_from_flash was one of the final pieces of the puzzle. It loads 
factory program calibration data from the last page of NVM. 
So I figured out how to use the ROM functions for this: 

nvmErr_t ( *nvm_read) 

(nvmlnterf ace_t nvmlnterface , nvmType_t nvmType , void *pDest, uint32_t address, uint32_t numBytes) 

■ (void *) 0x00006d69; 

void(*nvm_setsvar) 
(uint32_t zero_f or_awesome) 

■ (void *)0x00007085; 

and wrote flasher. c so you could flash an image. 



Development Timeline 
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Finish rl pcbs 

Blinking led (good bootloader script and toolchs 

starting radio driver... 

first successful RX 

flashing, sleeping, timers, interrupts... 

released Redbee Module and Dev. 

released Redbee EconoTAG 

finish revamped maca driver 

...now 



Hardware 



The Chip 





• LGA145 package (Land Grid Array) 

• 16 pads per side, 9x9 grid of underpads 

• 9.5mm x 9.5mm 



Essential Pins 



ADCO K 

ADC1 \Z 

ADC2 C 

ADC3 L 

ADC4 L 

ADC5 C 

ADC6 C 

ADC7 RTCK C 

TDO L 

TDI L 

TCK C 

TMS C 

UART2 RTS C 

UART2 CTS C 

UART2 RX \Z 

UART2 TX L 
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Hnnnnnnnnnnnnnnn 



| /Substrate GND Pads 

B BMBB BBB 
BlHHHHHlBBB 
000000000 
010000000 
BR ^|B B B H0H 
BBBB^gBBB 

bbbbbe31bbb 
b |bbbbb| bbb 

BBBBEfBBBB 

Active Signal Pad; 



« 0] XTAL 32 OUT 

« 0] XTAL_32_IN 

« I] RF_PLL_FLT 

« 0] VBATT 

« II LREG BK FB 

« H COIL BK 

« II KBI HST_WK 

« H KBI_1 

"> 3 KBI_2 

» 3 KBI_3 

^ 0] KBI_4 

= 3 KBI_5 

36 H KBI_6 

= 3 KBI_7 

» 3 SSI_TX 

* 3 SSI RX 



I U U U U U I 



• 2 power pads 

• Reset, clock, and antenna 

• VREF2 can set an Erase 
mode 

• Many ground pads 

• OK to run 58 to 77 
through 68 
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...and some way to program it 



ADCO K 

ADC1 L0 

ADC2 L_ 

ADC3 L 

ADC4 L 

ADC5 C 

ADC6 

ADC7 RTCK 

TDO L 

TDI L 

TCK 

TMS 

UART2 RTS 

UART2 CTS 

UART2 RX 

UART2 TX 
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B 



as 



00000 


00000 


00000 


H H||H H H 


HHHH|0 


BBHBB 


BBHHB 



BB 



/Substrate GND Pads 

00000 
000 
000 
000 
000 
000 
000 

0^0000 

Active Signal Pad; 



« 3 XTAL 32 OUT 

« U XTAL 32 IN 

« _] RF_PLL FLT 

«■ n VBATT 

" 11 LREG BK FB 

« n COIL BK 

« 3 KBI _HST_WK 

« n KBI_1 

"> n KBI_2 

*« 3 KBI_3 

^ n KBI_4 

= 3 KBI_5 

36 _] KBI_6 

= 3 KBI_7 

" 3 SSI_TX 

* 3 SSI RX 



uuuuuuuuuuuuuuuu 



J TAG 
Bootloader 

• UART1 

• RX and TX 

• RTS must be LOW 
on RESET to enter 
UART1 bootloader 

• I2C 

• SPI 



CO CO X X < -J S3 

t- t- o: i- o u 0- 

a o j j « mE 



Example 2-layer breakout 




S^ TO £?&dl 

isiiiiiiiimu 



• No underpads broken out 

• 4pcb 33-each (6 mil space/width, 10 mil drill, 20 mil vias) 



4-layer full-breakout 




■■llllliliil^v^ 1 




4pcb 66-each (6 mil space/width, 10 mil drill, 20 mil vias) 
some underpads removed to make room for vias (vias are 
covered with stop mask) 
gnd fill omitted for clarity 



Easier to solder than it looks 



If you can do fine pitched QFN packages you won't have too much 
more trouble with this. 

Without a stencil: 

• Thin bead of solder paste on the outside pins 

• Solder paste on the ground underpads 

• Small amount on the peripheral underpads 

Skillet. Touch up outside pads by hand. 



EconoTAG and QuahogCon Badge 




QC badge: 



• has batteries 

• more leds 

• mini-B instead of USB-A 




Other hardware 



Checkout: 

http://mcl322x.devl.org/hardware.html 



QuahogCon Badge 



• power 

• ground 

• 24MHz main clock 

• pads for 32kHz clock 

• provisions buck converter 
(more on that later) 




MC13224U-LGA145 



RF section 



Ul.RF 

TX_0N/GPI044 

Pft_NEG 

PfLPOS 

RF_BIAS 

flNT_l/GPI042 

ANT_2/GPI043 

RF_GND 

RX_0N/GPI045 

RF_RX_TX 



_52 TY_nM 

53 

54 

55 
_5S npm4? 



_5Z nprn43 



MC13224U-LGA145 



S3 

-EN — 

Q4 

-w — 

GREEN 



Wr-i 
'20 _|_ 



22e 

R11 



-Wr-i 

82 X 



V 



^T 



• TX_ON and RX_ON have special function: hooked up to 
LEDs. 

• RF_RX_TX goes to pads for a matching network and to an 
inverted-F PCB antenna 

• other pins are used with external RF components (PA, LNA, 
switches) 



buttons 



KRT-I KRTR 



E\ " E 



\, 



KRT^ 1 KRT4 



• two push buttons connected to KBI pins 



FT2232 





63 




64 




6? 




61 




1 


^ Ann 


2 




3 




4 




5 




6 




7 


PTTk 


a 



n.DCl_UREFH/GPIO40 
ADC2_UREFH/6PI038 

0DCl_URCrL/6PI041 
nDC2_URErL/6PI039 

ADC0/GPIO30 
ADC1/GPI031 
nDC2/GPI032 
nDC3/GPI033 
0.DC1/GPI031 
nDC5/GPI035 
nDC6/GPI036 
ADC7_RTCK/GPI037 



MC13224U-LGA145 



* 



TDO/GPID-ra 
TDI/GPI048 
TCK/GPI047 
TMS/GPI046 
RESETB 



MC13224U-LGA14F- 



next slide: FT2232: two channels JTAG and UART with 
bit-banging on reset, VREF2, and RTS 
funny R6 and R8 values reduce leakage while 
sleeping (< 1/zA) 
VREF2 and reset 
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Mode jumpers: VREF2 erase 




Manual VREF2 erase: 

• Short JP15 and JP16 as shown. 

• Press reset — wait 1-2 sec. Flash is now erased. 

• Open JP15 and JP16 for normal use. 



Mode jumpers: RTS low- UART1 bootloader 




Force RTS low to enter UART1 bootloader: 

• Short JP3: OK to leave it like that. 

• Usually not necessary, but when RTS goes low depends on 
your terminal/loading program. So you may need this. 



Other Jumpers 




• JP17- USB pins 

• JP13 - up to 16V input 

• JP11 - 3v55 



• JP4 - FT2232 power (normally 
short) 

• JP12 - VBAT input 3v6 max 

• breakout pins 



Sleep current — (see Iibmcl322x/tests/sleep.c) 



Doze vs. Hibernate trades time base accuracy vs. power 
consumption. 

• Hibernate uses RTC which is either a crummy built-in ring 
oscillator or much better 32kHz crystal (< 2uA) 

• Doze uses very good 24 MHz main reference (70uA). 

32kHz will be much more stable than the ring oscillator, but it 
might not be exactly 32kHz (depending on how you well you do 
with the trims) 

You can calibrate the ring oscillator against the 24MHz main 
reference. Maybe wake up periodically and re-calibrate. 



Sleep current cont'd 



2.0 uA - hibernate, retains RAM page 
+ 8.0 uA - retain CPU state 

+ 2.0 uA - each addition page retained (pages 1,2, and 3) 
+ 68.0 uA - doze mode 
+ ? uA - power GPIO 

(depends on GPIO hookup; can select which pins to power) 

Waking up: 

• Timers 

• ADC 

• external interrupts (KBI4-7) 



Run current 



Running (bus-stealing can save l-2mA) 

RX 

TX -30dBm 

TX OdBm 

TX 4.5dBm 

radio on, but idle 
NCD demodulator increases receiver sensitivity from -96dBm to 
-lOOdBm: increases current by 2mA. 



-5 


mA 


26 


mA 


18 


mA 


31 


mA 


44 


mA 


8 


mA 



Software 



"...the slog" 

No answers, but many things to try: 

• OE mcl322x overlay (mcl322x.devl.org) 

• open-mcl3224v scripts (and other code — check it out) 

• QC Virtual Box image (didn't work on any of my machines — 
but my machines are crummy) 

• MacOSX (currently has some issues) 

• Andrew Pullin's scripts: 
http://andrewpullin.org/tools/arm/buildscript.sh (newlib) 

• Kevin Townsend: http://tinyurl.com/2br7827 (windows, gcc) 

Setting up a Toolchain, a common story: 

/ started the OE build and once I realized it was going 
to take 5 hours I tried to get [such and such working]. 
Then the OE build finished so I stopped. 



THUMB 



ARMs are 32-bit CPUs but have a 16-bit instruction mode called 

THUMB. 

ARM: 



400020 
400020 


<_begi 


e321f0dl 


msr 


CPSR_c, 


#209 


Oxdl 




400024 
400028 




e59fd7b8 
e321f0d2 


ldr 


sp, [pc 

CPSR_c, 


, #1976] 
#210 


4007e4 
0xd2 


<reset_cpu+0x4> 


40002c 
400030 




e59fd7b4 
e321f0d3 


ldr 


sp, [pc 

CPSR_c, 


, #1972] 
#211 


4007e8 
0xd3 


<reset_cpu+0x8> 


400034 
400038 




e59fd7b0 
e321f0db 


ldr 


sp, [pc 

CPSR.c, 


, #1968] 
#219 


4007ec 
Oxdb 


<reset_cpu+Oxc> 



THUMB: 



40096c 


< 


real 


start 


_of main> : 














40096c 






b570 




push 


<r4, r5 


r6, 


Lr> 




40096e 






4808 




ldr 


rO, [pc 


#32] 




(400990 <.real_stai 


t_ofmaia+0x24>) 


400970 






4908 




ldr 


rl, [pc 


#32] 




(400994 <.real_stai 


t_ofmaia+0x28>) 


400972 






2200 




movs 


r2, #0 










400974 






4b08 




ldr 


r3, [pc 


#32] 




(400998 <.real_stai 


t_ofmain+0x2c>) 



Interworking lets you mix ARM/THUMB instructions. You need 
this for two reasons: 

• ARM7 interrupts are ARM only 

• mcl3224v ROM is mostly THUMB (except rom_data_init) 



Libc issues 

• Glibc has OS related stuff like sockets and files so sometimes 
you need to make stubs. 

Stubs for libm and sqrt(): 

FILE *stderr; 

void assert_f ail (void) { 

return; 
} 
int f puts (const char *s , FILE *stream) { 

return 0; 
} 

size_t fwrite(const void *ptr, size_t size, size_t nmemb, 
FILE *stream) { 

return 0; 



> 



• Glibc also seems to annoy people. 

• Newlib makes bigger binaries than glibc — and not too many 
people have gotten this to work easily (with THUMB and 
interworking, building it in the first place, etc..) 

• haven't tried uClibc, maybe it's the answer... 



VM issues 



Some people setup VM's to do this work: 

• Timing problems with mcl322x-load.pl, the VM, and the 
bootloader. 

• Too slow, doesn't work, etc... 

• Doesn't sound like a bad plan but it could use a new utility to 
replace mcl322x-load.pl 

• bbmc should still be fine if you have USB working 



LIBMC1322X 



...once you do have a toolchain that makes you "happy", a good 
place to start is LIBMC1322X: 

• library code for peripherals with unit tests 

• good radio driver with zero-copy packet interface 

• easy to build for multiple boards 

• easy to use as a submodule for standalone mcl3224v projects 
(no OS features like threads) 

• e.g. Iinux802154-serialdev 

• easy to pull in as a subtree into existing projects 

• e.g. contiki-mcl322x 

• has useful tools 

• mcl322x-load.pl 

• bbmc 



Bootloader 

On reset: 

• If RTS is LOW on RESET, and 

• there is NOT a valid image in: NVM, SPI, or I2C, then 

• UART1 starts looking for code. 

The steps to send an image over UART1 are: 

• send a (0x0, not '0') 

• the mcl3224v auto bauds and sends back "CONNECT" 

• you send it length and the bytes of the image 

• the mcl3224v copies the bytes to 0x400000 (start of RAM) 
and jumps there. 

• Off it goes! 

$ . ./tools/mcl322x-load.pl -f rftest-tx_redbee-dev.bin -t /dev/ttyUSBO 



Flashing an image 

mcl322x-load.pl has a secondary image send that can interact with 
a flashing stub (e.g. flasher.c) 

$ . /mcl322x-load.pl -f flasher_redbee-econotag.bin \ 
-s blink-red_redbee-econotag.bin \ 
-t /dev/ttyUSBl 

<press reset button> 

CONNECT 

Size: 9552 bytes 

Sending flasher.bin 

secondary send. . . 

.Detecting internal nvm 

nvm_detect returned: 0x00 type is: 0x00000001 

nvm_erase returned: 0x00 

type is: 0x00000001 
ready 

Size: 4820 bytes 
Sending blink-red.bin 
done sending files, 
len: 000012d4 

type is: 0x00000001 
nvm_write returned: 0x00 
flasher done 

<press reset button> 



Erasing 



Now that you have a valid image in NVM you will not be able to 
use the bootloader without erasing the flash (or invalidating the 
image). 

• already showed how to do a manual VREF2 erase 

• you can use the bbmc utility to bitbang a VREF2 erase with 
the FT2232H 

./bbmc -1 redbee-econotag erase 

• BBMC will prompt you if you have more than one device with 
the same vendorJd and productJd (e.g. more than one 
econotag/quahocon-badge) 

• It's easy to configure for your own hookup (to use different 
pins or channels) 



Erasing: by invalidating the image with JTAG 



• Another way to get back to the bootloader is to run a 
program that clobbers the magic number in the image. 

• You can do this if you have JTAG access 

• unbrick.bin: modified version of nvm-write.c — clobbers the 
first four bytes which contains "OKOK" or "SECU" in a valid 
image. 

• Stop the processor and load with OpenOCD or through GDB 



OpenOCD 



• need Openocd > v0.3 

• Config files mainlined as of Feb. 28, 2010 (after v0.4) 

• Get recent version of openocd or use the openocd. cfg on 
mcl322x.devl.org 

• Doesn't support flashed yet. (but it should be "easy" for 
someone to add.) 

openocd -f board/redbee-econotag. cf g 



OpenOCD telnet interface 



$ telnet localhost 4444 

> sof t_reset_halt 

requesting target halt and executing a soft reset 

target state: halted 

target halted in ARM state due to debug-request , current mode: Supervisor 

cpsr: 0x000000d3 pc : 0x00000000 

> load_image /tmp/rf test-tx.bin 0x00400000 

10376 bytes written at address 0x00400000 
downloaded 10376 bytes in 0.569674s (17.787 kb/s) 

> resume 0x00400000 



GDB 



• need version 7.0.1 

• 6.8 and 7.1 don't work with THUMB... 

• need to build for arm target: ./configure 
— target=arm-linux 

• need to use hardware breakpoints if you are tracing through 
ROM (set gdb_breakpoint_override hard in openocd ) 

my .gdbinit: 

define conn 

target remote localhost :3333 

end 

define go 

monitor sof t_reset_halt 

set *0x80020010 = 

load 

monitor reg pc 0x00400000 

end 

Run from emacs with M-x gdb on the .elf 



Radio initialization 



trim_xtal() ; 
vreg_init () ; 
maca_init () ; 
set_channel(0) ; 
set_power(0xl2) ; 



/* 802.15.4 channel 11 */ 

/* 0x12 is the highest, 4.5dBm */ 



Radio packet interface 



MACA driver keeps a fixed pool of packets. Has a TX and RX 
queue. 

struct packet { 

uint8_t length; 

/* offset into data for first byte of the packet payload */ 

/* On TX this should be */ 

/* On RX this is 1 since the maca puts */ 

/* the length as the first byte*/ 

uint8_t offset; 

/* +2 for FCS; */ 

/* + 1 since maca returns the length as the first byte */ 

uint8_t data[MAX_PAYL0AD_SIZE+2+l] ; 
}; 
typedef struct packet packet_t; 



sending and receiving 



Sending a packet: 

volatile packet_t *p; 
p = get_f ree_packet () ; 

if(p) { 

f ill_packet (p) ; 

tx_packet (p) ; 
} else { 

printf ( ( 'can't get free packet\n''); 
} 



Receiving packets: 

if ( (p = rx_packet () ) ) { 

/* print and free the packet */ 
print_packet (p) ; 
f ree_packet (p) ; 



Basic driver operation 



• turns on receiver with a soft-timeout — receives packets 

• after timeout, transmits all packets in TX queue (if any) 



• repeat. 



ISR callbacks 



Called from the interrupt handler when a packet is received or just 
transmitted. 

void maca_rx_callback(volatile packet_t *p) ; 
void maca_tx_callback(volatile packet_t *p) ; 



check.maca 



Unfortunately the radio has some periodic problems. 

• Sometimes the maca clock stops 

(not often, and usually when I do something wrong) 

• Completion clocks don't generate interrupts 

(usually from RX — > TX transmission or fast back to back TX) 

Periodic calls to check_maca will detect these and fix it up 
accordingly. 

There are other more complicated radio drivers that I've started 
reversing, but so far they don't work well... 



List of things we have 



We have completed or a good start on: 

• Interrupts 

• Timers 

• ADC 

• Sleep 

• UART 

• Radio 

• Bootloader 

• RTC 

• GPIO (including KBI) 



Things we don't have yet 



Don't have yet: 

• Buck 

• Clocks other than 24MHz 

• Advanced Security Module (hardware AES) 

• Fancy timer modes (PWM etc..) 

• I2C 

• SPI 

• SSI 

• Fancy ADC modes (auto-trigger, ADC wakeup) 



Questions 



Questions 



Thanks for listening; I hope you enjoyed it! 

If there is time remaining I'll gladly take questions. 



802.15.4 



Specifies: 

• the physical layer (channels, modulations, bit-rates) 

• packet format 

• types of packets and what they are used for 
It does not specify: 

• meshing 

• routing 

• multi-hopping 

• sleeping 

• synchronizing 

That's what the dark world of protocols that use 802.15.4 is all 
about... 



Zigbee 



I'm not the person to talk about Zigbee. Check out: 

• Freaklabs.org: FreakZ open-source Zigbee stack 

• Josh Wright's Killer Bee talk, tomorrow at 1100. 



6 Low PAN 

IPV6 over 802.15.4. Addresses: 

• fragmentation (IPV6 MTU is fixed at 1280 bytes, while 
802.15.4 payload is 125 bytes max.) 

• header compression 

• lot's of other details (like deriving link-local addresses from 
mac addresses, etc..) 

Does NOT do routing. With 6LowPAN you can: 

• mesh-under: the whole PAN is the link-local scope 

• route-over: each node hasn't it's own link-local scope of 
nodes within range. IPV6 routing used. 

also doesn't address beaconing/sleeping/syncronization... 



other protocols that use 802.15.4 



and there are many more: 

• 802.15.5 

• wirelessHART 

• ISAlOO.lla 

• Synapse SNAP 

• USNAP 

• RIME 

...endless pain and suffering. 



Contiki 



Many features: 

• full IPV4/6 stack: UIP 

• servers and clients: udp, tcp, webservers 

• coffee filesystem 

• prototh reads 

• event timers 

• RIME wireless stack (meshing, duty-ratio power saving, 
various other mesh protocols) 

• route-over 6LowPAN 



Contiki-mcl3224v 



• contiki-mcl3224v port will be mainlined in the next Conitki 
release (2.5) in June or so. (feel free to help!) 



Linux 802.15.4 



My personal favorite. 

• supports a few different radios as well as a serial protocol 

• mcl3224v serial device firmware: Iinux802154-serialdev 

• creates standard network devices (ifconfig wpanO up) 

• has a monitor device so you can use tcpdump/wireshark 
directly on wpanO to sniff 

• good start on 802.15.4 mac layer (assoc. disassoc. acks etc..) 



Lind6LowPAN 

Lind6LowPAN = Linux 6LowPAN 
• it doesn't exist yet, but it should 
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Lind6LowPAN 



Lind6LowPAN = Linux 6LowPAN 

• it doesn't exist yet, but it should 

• Where does the 'd' come from? 

• the 'd' is what makes it funny. 




6LowHACK 

6LowHACK is a sketchy set of patches I made to the current 
802.15.4 in Linux that implements enough 6LowPAN to do 
uncompressed IPV6 with no fragments (if you are talking to 
Contiki nodes). 

http : //devl . org/pipermail/mcl322x/2010-March/000215 .html 

With 6LowHACK you can: 

izattach /dev/ttyUSBl 

iz add wpan-phyO 

ifconfig wpanO mtu 1280 

ip link set wpanO address 66:66:66:66:66:66:66:66 arp on 

ip -6 address add f e80 :: 6466 : 6666 : 6666: 6666/64 dev wpanO 

ifconfig wpanO up 

iz assoc wpanO Oxabcd 1 11 ; sleep 1 ; killall iz 

Then, for instance, start a udp server with socat, and receive 
messages from Contiki's udp-client. Or ping the Contiki node. 
Contiki and Linux will do all of the IPV6 neighbor discovery, 
radvd and UIP RS/RA should work too. 



Duty Ratio of different power states 



Assume a fix set of states that you continuously cycle through over 
a fixed period. 

For the MC13224v, some useful states to think about are: sleep, 
run, TX, and RX. 

For each state, the duty ratio of that state is: 

D - — 

If P n is the instantaneous power used in that state (assuming P n is 
constant), then the average power consumed over the cycle is: 

< Ptot >= D l P l + D 2 P 2 + ... + D n P n 



D and P 



D Tl is determined by your code/application. 
And, 

P n = VI n 
So, 

< Ptot >= D l P l + D 2 P 2 + ... + D n P n 

< Ptot >= ViDih + D 2 I 2 + .- + D n I n ) 

< P tot >= V < I tot > 
Let's talk about V first. 



V 



Generally, you want V to be low and constant (regulated). 

• The mcl3224v core can run at 2.0V. 
Consider these two types of voltage down-conversion: 

• linear 

• switch-mode 

• MC13224v includes a buck converter — everything but the 
inductor. 



Linear regulator 



'- © 



n 



"out — V out ' ^ 

Pin = V d d ■ i 
Pout _ V ou t 



Note, if i is fixed, (e.g. load is a 
microcontroller not a resistor), 
then Vout doesn't matter as the 
total power used depends only on 
V dd (and i). 

In other words, even if you reduce 
Vout so that the mcl3224v is 
using less power, you achieve that 
by using that power in the 
regulator instead. 



Switch-mode regulator 
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• L and C looks like a low-pass filter from input to output 

• If you switch fast enough then 



V. 



out 



DV 



m 



where D is the duty-ratio of the high side switch. 

• Switches don't consume power (on V=0, off 1=0) 

• Inductors and capacitors don't consume power either. 

• Since nothing consumes power, r\ = 1 



Switch-mode regulator, cont'd 



Of course, it real-life, 77 ^ 1: 

• Switches: commutation, conduction, gate capacitance... 

• Inductors: magnetic core loss, ESR... 

• Caps: ESR, dielectric loss... 

But you can get close (mcl3224v buck is « 0.8) 

And more importantly now can lower V ou t ar| d do better since rj is 

relatively constant vs. V; n and V out . 

The mcl3224v buck will handle lowering V ou t to 2v0. But if we 

are using the linear regulator (e.g. 4v2 LiPo cell in JP13) then we 

want to raise Vbat to be as high as possible (3v6) so that the 

linear regulator burns as little as possible. 



Mode jumpers: 3v55 




RedBee - EconoTAG 

http://mcl322x.devl.org 

http://uuu.reduirellc.com 



OAOPAQPAQ£ 

/ooooooooc 



Short JP11 to set regulator to output 3v55: 

• Do this when using the buck and powering through the 
regulator (power from JP13 or USB) 



Buck: Populate inductor LI 




Buck: cut JP27, populate D2 




.and then configure the software 
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.and then configure the software 



This page intentionally left blank 
Because Mar hasn't started reversing this yet. 
...he's waiting for someone else to it... 



Current and duty ratio 



Can't really control the current side of things too much, but we 
can use the numbers to help guide certain trade-offs 



"Is using Doze vs. Hibernate going to make a big difference?" 

"Should I use NCD or DCD demodulation?" 

"How often should I wake up to do stuff?" 

< Ptot >= V(Dih + D 2 I 2 + .- + D n I n ) 



Observations and examples 



Let's find where the power consumption due to run mode equals 
the consumption due to sleep mode: 



-L'run^run 1^ sleep ^sleep 

And express this as the runtime as a percent of sleep time: 

-Urun ^sleep 

L* s leep Iran 



Sleep current and run current 



Let's say that you have a choice to work hard and get a low sleep 
current, or be lazy and have a high sleep current (or you need a 
very good time base while sleeping): 

J-sleep,low = ^UA 

Isleep,high = lOOuA 

And while running your can either mostly use the radio, or mostly 



not: 



J-run, radio — OIllA 
^run,noradio OU1TLA 



How long to sleep for? 

-L-'run __ 
-'-'sleep 

,. 100/xA 





5mA 


radio, high sleep = 


100/xA 
50mA 


no radio, low sleep = 


2/iA 

5mA 


radio, low sleep - 


2/zA 



0.2% 



0.04% 



0.004% 



Keeping numbers like this in mind will help you optimize the right 
things and answer questions like "am I sleeping enough?" 



